Migrate Windows code signing from client secret to OIDC#12911
Merged
Conversation
00d79d2 to
bd12a06
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Migrates Windows release code signing in the deployment workflow from client-secret auth to OIDC-based authentication using azure/login@v2, aligning with the Trusted Signing/DefaultAzureCredential flow and removing long-lived secrets from the workflow.
Changes:
- Add
azure/login@v2(production-only) to establish an Azure auth session for code signing via OIDC. - Remove
AZURE_CLIENT_SECRETfrom Windows.exe(GoReleaser) and.msisigning environments. - Keep
AZURE_CLIENT_ID/AZURE_TENANT_IDenvironment variables for identity selection.
Comments suppressed due to low confidence (1)
.github/workflows/deployment.yml:226
azure/login@v2only runs forproduction, but the GoReleaser build step still setsDLIB_PATH/METADATA_PATHunconditionally. Since.goreleaser.ymlalways runspwsh .\script\sign.ps1as a post-hook for Windows builds, staging runs will still attempt to code-sign but won’t have an authenticated Azure session (and may also not have these environment-scoped secrets), which is likely to fail the build. Consider only settingDLIB_PATH/METADATA_PATH(and Azure env vars, if only needed for signing) wheninputs.environment == 'production', soscript/sign.ps1reliably skips signing outside production, or alternatively runazure/loginfor all environments where signing is expected to occur.
- name: Authenticate to Azure for code signing
if: inputs.environment == 'production'
uses: azure/login@v2
with:
client-id: ${{ secrets.SPN_GITHUB_CLI_SIGNING_CLIENT_ID }}
tenant-id: ${{ secrets.SPN_GITHUB_CLI_SIGNING_TENANT_ID }}
allow-no-subscriptions: true
# Azure Code Signing authenticates via OIDC (azure/login above). AZURE_CLIENT_ID and AZURE_TENANT_ID
# are still passed so DefaultAzureCredential can identify the service principal.
- name: Build release binaries
shell: bash
env:
AZURE_CLIENT_ID: ${{ secrets.SPN_GITHUB_CLI_SIGNING_CLIENT_ID }}
AZURE_TENANT_ID: ${{ secrets.SPN_GITHUB_CLI_SIGNING_TENANT_ID }}
DLIB_PATH: ${{ runner.temp }}\acs\bin\x64\Azure.CodeSigning.Dlib.dll
METADATA_PATH: ${{ runner.temp }}\acs\metadata.json
TAG_NAME: ${{ inputs.tag_name }}
run: script/release --local "$TAG_NAME" --platform windows
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
babakks
approved these changes
Mar 12, 2026
tmeijn
pushed a commit
to tmeijn/dotfiles
that referenced
this pull request
Mar 24, 2026
This MR contains the following updates: | Package | Update | Change | |---|---|---| | [cli/cli](https://github.com/cli/cli) | minor | `v2.87.3` → `v2.88.1` | MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.** --- ### Release Notes <details> <summary>cli/cli (cli/cli)</summary> ### [`v2.88.1`](https://github.com/cli/cli/releases/tag/v2.88.1): GitHub CLI 2.88.1 [Compare Source](cli/cli@v2.88.0...v2.88.1) #### Fix `pr` commands failing with `read:project` scope error v2.88.0 introduced a regression where `pr` commands would fail with the error: ``` error: your authentication token is missing required scopes [read:project] To request it, run: gh auth refresh -s read:project ``` Previously, missing read:project scope was gracefully handled, and project data was silently skipped. A change inadvertently broke the error matching that enabled this graceful degradation. v2.88.1 reverts these changes so that `pr` commands work correctly without requiring the `read:project` scope. #### What's Changed - Migrate Windows code signing from client secret to OIDC by [@​BagToad](https://github.com/BagToad) in [#​12911](cli/cli#12911) - Revert "refactor: deduplicate scope error handling between api/client.go and project queries" by [@​williammartin](https://github.com/williammartin) in [#​12914](cli/cli#12914) - Revert "fix: clarify scope error while creating issues for projects" by [@​williammartin](https://github.com/williammartin) in [#​12915](cli/cli#12915) **Full Changelog**: <cli/cli@v2.88.0...v2.88.1> ### [`v2.88.0`](https://github.com/cli/cli/releases/tag/v2.88.0): GitHub CLI 2.88.0 [Compare Source](cli/cli@v2.87.3...v2.88.0) ####Request Copilot Code Review from `gh` <img width="80%" height="80%" alt="image" src="proxy.php?url=https%3A%2F%2Fgithub.com%2F%3Ca+href%3D"https://github.com/user-attachments/assets/c9b86700-5934-44b6-9210-227495a18d8e">https://github.com/user-attachments/assets/c9b86700-5934-44b6-9210-227495a18d8e" /> `gh pr create` and `gh pr edit` now support [Copilot Code Review](https://docs.github.com/en/copilot/using-github-copilot/code-review/using-copilot-code-review) as a reviewer. Request a review with `--add-reviewer @​copilot`, or select Copilot interactively from the searchable reviewer prompt. Create a pull request and request review from Copilot: ``` gh pr create --reviewer @​copilot ``` Edit a pull request and request review from Copilot: ``` gh pr edit --add-reviewer @​copilot ``` #### Close issues as duplicates with `gh issue close --duplicate-of` You can now close issues as duplicates and link to a duplicate issue directly from the CLI. The new `--duplicate-of` flag accepts an issue number or URL and marks the closed issue as a duplicate of the referenced one. You can also use `--reason duplicate` to set the close reason without linking a specific issue. ``` # Close as duplicate, linking to the original issue gh issue close 123 --duplicate-of 456 # Close with duplicate reason only gh issue close 123 --reason duplicate ``` #### JSON support for `gh agent-task` `gh agent-task list` and `gh agent-task view` now support `--json`, `--jq`, and `--template` flags, consistent with other `gh` commands. ``` gh agent-task list --json id,name,state gh agent-task view <id> --json state --jq '.state' ``` #### What's Changed ##### ✨ Features - `gh pr create`: login-based reviewer requests and search-based interactive selection by [@​BagToad](https://github.com/BagToad) in [#​12627](cli/cli#12627) - `gh pr view` and `gh issue view`: show friendly display names for all actors by [@​BagToad](https://github.com/BagToad) in [#​12854](cli/cli#12854) - `gh issue close`: add `--duplicate-of` flag and duplicate reason by [@​tksohishi](https://github.com/tksohishi) in [#​12811](cli/cli#12811) - `gh pr diff`: add `--exclude` flag to filter files from diff output by [@​yuvrajangadsingh](https://github.com/yuvrajangadsingh) in [#​12655](cli/cli#12655) - `gh pr view/list`: add `changeType` field to files JSON output by [@​yuvrajangadsingh](https://github.com/yuvrajangadsingh) in [#​12657](cli/cli#12657) - `gh repo clone`: add `--no-upstream` flag by [@​4RH1T3CT0R7](https://github.com/4RH1T3CT0R7) in [#​12686](cli/cli#12686) - `gh repo edit`: add `--squash-merge-commit-message` flag by [@​yuvrajangadsingh](https://github.com/yuvrajangadsingh) in [#​12846](cli/cli#12846) - `gh browse`: add `--blame` flag by [@​masonmcelvain](https://github.com/masonmcelvain) in [#​11486](cli/cli#11486) - `gh agent-task list`: add `--json` support by [@​maxbeizer](https://github.com/maxbeizer) in [#​12806](cli/cli#12806) - `gh agent-task view`: add `--json` support by [@​maxbeizer](https://github.com/maxbeizer) in [#​12807](cli/cli#12807) - `gh copilot`: set `COPILOT_GH` env var when launching Copilot CLI by [@​devm33](https://github.com/devm33) in [#​12821](cli/cli#12821) ##### 🐛 Fixes - Fix `gh project item-edit` error when editing Draft Issue with only one (`--title`/`--body`) flag by [@​ManManavadaria](https://github.com/ManManavadaria) in [#​12787](cli/cli#12787) - Fix extension install error message showing raw struct instead of `owner/repo` by [@​Copilot](https://github.com/Copilot) in [#​12836](cli/cli#12836) - Fix incorrect integer conversion from int to uint16 in port forwarder by [@​BagToad](https://github.com/BagToad) in [#​12831](cli/cli#12831) - Fix invalid ANSI SGR escape code in JSON and diff colorization by [@​BagToad](https://github.com/BagToad) in [#​12720](cli/cli#12720) - Fix assignees `databaseId` always being `0` in `--json` output by [@​srt32](https://github.com/srt32) in [#​12783](cli/cli#12783) - Fix error when `--remote` flag used with repo argument by [@​majiayu000](https://github.com/majiayu000) in [#​12375](cli/cli#12375) - Fix redundant API call in `gh issue view --comments` by [@​VishnuVV27](https://github.com/VishnuVV27) in [#​12652](cli/cli#12652) - Clarify scope error while creating issues for projects by [@​elijahthis](https://github.com/elijahthis) in [#​12596](cli/cli#12596) - Reject pull request-only search qualifiers in `gh issue list` by [@​LouisLau-art](https://github.com/LouisLau-art) in [#​12623](cli/cli#12623) - Prevent `.git/config` corruption on repeated `issue develop --name` invocation by [@​gunadhya](https://github.com/gunadhya) in [#​12651](cli/cli#12651) - Use pre-compiled regexp for matching Content-Type by [@​itchyny](https://github.com/itchyny) in [#​12781](cli/cli#12781) - Isolate generated licenses per platform (os/arch) by [@​babakks](https://github.com/babakks) in [#​12774](cli/cli#12774) ##### 📚 Docs & Chores - Add examples to `gh issue close` help text by [@​BagToad](https://github.com/BagToad) in [#​12830](cli/cli#12830) - Customizable install `prefix` in Makefile by [@​scarf005](https://github.com/scarf005) in [#​11714](cli/cli#11714) - Deduplicate scope error handling between `api/client.go` and project queries by [@​yuvrajangadsingh](https://github.com/yuvrajangadsingh) in [#​12845](cli/cli#12845) - Remove unnecessary `StateReason` and `StateReasonDuplicate` feature detection by [@​BagToad](https://github.com/BagToad) in [#​12838](cli/cli#12838) - Update Go version requirement to 1.26+ by [@​BagToad](https://github.com/BagToad) in [#​12864](cli/cli#12864) - Add monthly pitch surfacing workflow by [@​tidy-dev](https://github.com/tidy-dev) in [#​12894](cli/cli#12894) #####
Dependencies - Bump Go from 1.25.7 to 1.26.1 by [@​BagToad](https://github.com/BagToad) in [#​12860](cli/cli#12860) - chore(deps): bump golang.org/x/sync from 0.19.0 to 0.20.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​12886](cli/cli#12886) - chore(deps): bump google.golang.org/grpc from 1.79.1 to 1.79.2 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​12851](cli/cli#12851) - chore(deps): bump github.com/docker/cli from 29.0.3+incompatible to 29.2.0+incompatible by [@​dependabot](https://github.com/dependabot)\[bot] in [#​12842](cli/cli#12842) - chore(deps): bump google.golang.org/grpc from 1.78.0 to 1.79.1 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​12759](cli/cli#12759) - chore(deps): bump goreleaser/goreleaser-action from 6.4.0 to 7.0.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​12760](cli/cli#12760) - chore(deps): bump actions/upload-artifact from 6 to 7 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​12797](cli/cli#12797) - chore(deps): bump actions/download-artifact from 7 to 8 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​12796](cli/cli#12796) - chore(deps): bump actions/attest-build-provenance from 3.2.0 to 4.1.0 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​12795](cli/cli#12795) - chore(deps): bump github.com/gabriel-vasile/mimetype from 1.4.11 to 1.4.13 by [@​dependabot](https://github.com/dependabot)\[bot] in [#​12615](cli/cli#12615) #### New Contributors - [@​srt32](https://github.com/srt32) made their first contribution in [#​12783](cli/cli#12783) - [@​itchyny](https://github.com/itchyny) made their first contribution in [#​12781](cli/cli#12781) - [@​VishnuVV27](https://github.com/VishnuVV27) made their first contribution in [#​12652](cli/cli#12652) - [@​elijahthis](https://github.com/elijahthis) made their first contribution in [#​12596](cli/cli#12596) - [@​ManManavadaria](https://github.com/ManManavadaria) made their first contribution in [#​12787](cli/cli#12787) - [@​maxbeizer](https://github.com/maxbeizer) made their first contribution in [#​12806](cli/cli#12806) - [@​LouisLau-art](https://github.com/LouisLau-art) made their first contribution in [#​12623](cli/cli#12623) - [@​4RH1T3CT0R7](https://github.com/4RH1T3CT0R7) made their first contribution in [#​12686](cli/cli#12686) - [@​yuvrajangadsingh](https://github.com/yuvrajangadsingh) made their first contribution in [#​12657](cli/cli#12657) - [@​masonmcelvain](https://github.com/masonmcelvain) made their first contribution in [#​11486](cli/cli#11486) - [@​scarf005](https://github.com/scarf005) made their first contribution in [#​11714](cli/cli#11714) - [@​tksohishi](https://github.com/tksohishi) made their first contribution in [#​12811](cli/cli#12811) - [@​tidy-dev](https://github.com/tidy-dev) made their first contribution in [#​12894](cli/cli#12894) **Full Changelog**: <cli/cli@v2.87.3...v2.88.0> </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this MR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box --- This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My42MS43IiwidXBkYXRlZEluVmVyIjoiNDMuNjQuMyIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiUmVub3ZhdGUgQm90IiwiYXV0b21hdGlvbjpib3QtYXV0aG9yZWQiLCJkZXBlbmRlbmN5LXR5cGU6Om1pbm9yIl19-->
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Replaces
AZURE_CLIENT_SECRET-based authentication for Windows code signing with OIDC federated identity credentials viaazure/login@v2.Changes
azure/login@v2step before signing (production only) to establish OIDC sessionAZURE_CLIENT_SECRETfrom both the .exe signing (GoReleaser) and .msi signing stepsAZURE_CLIENT_IDandAZURE_TENANT_IDenv vars forDefaultAzureCredentialidentificationPre-requisites completed
cli/cli(repository_owner_id,repository_id,context)id-token: writepermission already present at workflow levelCompanion work
Modeled after desktop's identical migration: desktop/desktop#21786
Notes for reviewer
Please see the successful test run using this workflow: https://github.com/cli/cli/actions/runs/22981502108/job/66722159067